Well, well, hours after telling you not to change passwords, now I am telling you to change it… but this time with good reason. Minutes ago I’ve received a email from Atlassian:

We are sending you this message because we experienced a security breach and suspect that your Atlassian customer account password details (only) may have been compromised.
It is very unlikely that an unauthorised user has had the opportunity to log in to your account so far and if they have, there is very little in the way of personal information which could have been accessed. However, to minimise any further risk to your Atlassian account being compromised, we strongly recommend that you change your Atlassian account password as soon as possible using the procedure below.
Be aware that this security issue only affects Atlassian customers who created an Atlassian account and purchased one of our products before June 2008. Since then, we have been using a more secure user management system based on Atlassian’s Crowd product. When you change your Atlassian account password using the procedure below, your Atlassian customer account details will be stored in our updated Crowd user management system, which will further minimise the chance of a security breach occurring in future.
Procedure for changing your Atlassian customer account password:
1) Login to http://my.atlassian.com
2) Click “My Profile” (3rd tab)
3) Click “Change Password” (in Contact Information section)
4) Update your password to a new value
Atlassian apologises for the inconvenience caused. However, this is an extremely rare event for us and since we take security issues seriously, we are taking every precaution possible to minimise the effects of this security breach.

Sincerely/Best regards,
Glenn Butcher
Director of IT

Not fun .. and I expect to we’ll hear more from Atlassian soon. For now they are obviously figthing whatever it is – status update from Twitter:

Atlassian had a security breach. Apologies for the confusion. Our site is experiencing heavy loads. We are working on getting back up ASAP.

Personally I am safe – I don’t have active accounts, just decided to help push Atlassian’s charity towards the finish line by purchasing 10 licences, but if you do, time to change the passwords…

Apparently an old, inactive database table that had already been migrated in July 2008 to the secure Crowd identity management system was not deleted mistakenly. That indirectly answers the speculation about Atlassian passwords being stored in plain text format. They are not – anymore, but they used to be, prior to July 2008.

Mike goes on to detail what was / was not compromised: read for changes, they are resetting potentially compromised account passwords now.

He does not BS, owns up the mistake:

We made a big error. For this we are, of course, extremely sorry. The legacy customer database, with passwords stored in plain text, was a liability. Even though it wasn’t active, it should have been deleted. There’s no logical explanation for why it wasn’t, other than as we moved off one project, and on to the next one, we dropped the ball and screwed up.

They are still investigating what happened and Mike promises full disclosure, coming this week.

It’s been a bad day for Atlassian and some of their customers – but I’m glad they live up to their “Open Company, No Bullshit” slogan, and respond as expected.

I’m not a security expert and don’t pretend to be one, but half-cooked advice on fundamental security issues p***es me off big time. Today it’s a lengthy article at the Boston Globe: Please do not change your password.

It’s based on a study by a Microsoft researcher, who concludes that regularly changing passwords is a big waste of time – so far so good and I’ve just saved you reading 3 pages –but what’s the conclusion?

It all makes sense, except that it’s hard to do. Statistics show that over 60% of Internet users have a favorite set of login credentials and they use that single set across many systems. Very-very dangerous, but the reason we do it is that this is what we can remember easily.

The missing piece from the advice is how we deal with the “bullet-proof” and unique set of login credentials we create on dozens of systems we need to log in. Some people will develop a formula to make up such passwords – too bad such patterns are often recognizable. Others will write them down … ouch!

So we’re left with two options:

physical devices, be it lists, passcode cards, USB sticks..etc, what if you lose them?

password management systems like Keypass, Lastpass, Passspack, Syferlock… – what if they get compromised?

I’ve just received one of those “Hey, I just added you to my Mafia family. You should accept my…” crap-spam-junk invitations on Twitter. Normally these come from accounts I don’t recognize, and I either ignore or block them. But this time it came from a gray-haired, well-respected industry analysts – I just could not imagine him getting involved. When I contacted him he told me he himself received 75 Mafia invitations – but the fact that I received it in his name suggests his account got compromised.

He had already changed his Twitter password, yet the hijackers kept on using his account. That reminded me to share this: changing your password is no longer sufficient to regain control. I don’t pretent to be a security expert (which we have a few over @ CloudAve), but since more and more Twitter apps are “doing the right thing” and use OAuth authentication, those connections stay valid even after a password change. So here’s what you should do: go to http://twitter.com/account/connections and check out all the applications listed there.

You may be surprised… the stupid lil’ thing you had checked out and decided you did not like after 5 minutes still sits there, fully authorized. So do yourself a favor, prune the list. Whatever you don’t recognize, or no longer want, click “revoke access” – it’s that simple.

(Note: The image above does not depict “bad guys”. it’s a screen shot of my account and I don’ have any – or so I hope.)